Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Project Management

Community Vulnerability Assessment Methodology (CVAM) Ivan

advertisement 
National Response Team
Presentation:
“Security Risk Assessment
Methodologies:
Community VAM
3/3/3
Presented By: Gloria E Chavez
Sandia National Laboratories
Community Vulnerability
TM
Assessment Methodology (CVAM )
“Snapshot” of Community
Process: today's message





Community Vulnerability Assessment
Methodology (CVAMTM) process
Process is copyrighted / licensed to ensure
appropriate use of training materials by qualified
trainers and so resulting information is protected
Part of the “family” of center processes for
infrastructure
Part of Center for Civil Force Protection
Focus is on “planning” to allow appropriate
response and to mitigate consequences by
identifying weaknesses in systems
Vulnerability Assessment
(VA)…What Is It
Vulnerability assessment is
• A systematic approach
•Used to determine relative risk
•Based upon the effectiveness of a protection
system
•Considering the consequences
•Resulting from a likely threat
Community Vulnerability Assessment Methodology
• Builds on prior VAM / RAM development – nuclear
sites, dams, water, chemical facilities, prisons/jails
• Goals
• Useable by public safety personnel, emergency
planners, private industry employees – don't
need to be a "techie"
• Useful -provides information which significantly
contributes to making security risk
management decisions
Reasons for a Community
VA include:







Identify vulnerabilities in a systematic way (minimize gaps)
For important vulnerabilities, communities may be able to
request additional resources
For significant identified vulnerabilities, community may consider
ways to mitigate – such as provide a backup for a vulnerable
mission with no existing backup
Can use identified vulnerabilities to better plan future projects
i.e., two communication routes (backup)
Can help prepare, in event of attack, to mitigate consequences
Helps communities make security decisions based on a process
including risk assessment
Community may decide to improve response or an aspect of
physical security
Scope of Analysis





Screening Analysis
Characterize a Community, critical
Facilities & Consequences
Define the Threat and Likelihood of
Attack
Review Physical Protection Systems
Make Observations and
Recommendations
Community Vulnerability Assessment Process
Screening, Team,
Decisions/ Risks
Planning
Characterize
Assets
Facility Characterization, ID Targets
Determine
Consequences
Site Specific Consequence Table,
Prioritize Targets
Community Protection Goals:
Defined Threat (DT)
Define
Threats
Other
Action
Cost
?
Benefit
Analysis
R=PA*(1-PE)*C
Define
Safeguards
Analyze
System
Understand PPS: Detect,
Delay, Response
System Effectiveness,
Scenario Analysis
Risks
Acceptable
?
Risks
Upgrade PPS, Mitigate Consequences
Proposed Upgrades/ Actions
N
Y
End
CVAM
TM
process consists of
Community Screening workshop
(optional)
 Training Course on VA Process
-including VA on selected facilities
 Follow-up visit/assist on reporting
(optional)

Who is Involved in the
Process?



Players for a community include decision makers in
the community working with emergency
management, police, risk management, fire
departments, civic leaders, financial leadership,
chamber of commerce, others
Process takes time and requires information about
the community
Process requires difficult decisions (…what is an
acceptable risk?)
CVAMTM Course


We teach a Vulnerability Assessment Course, not a
Security Assessment Course
The course, for a community, is an intense week of:



class material describing process
Exercises, based on facilities in community, to demonstrate
the process
We also teach a “trainer course” for qualified trainers
with backgrounds in training and community policing,
or risk management
Community Screening 



Definition: Selecting facilities of most
concern, using a documented process
Requires participation by decision
makers in a community
Uses Consequence Analysis,
determination of acceptable risk
First Step in Process
CVAMTM Screening: Consequence
and Target Identification
Severity of Undesirable Consequences
•
Loss of human life
•
Loss of revenue
•
Loss of vital equipment
•
Loss of vital capabilities
CVAMTM Community
Characterization: Many elements
Communications

Power/Electric

Gas/Oil

Industry





Water

Government
Transportation
Emergency
Foreign Represented
Governments
Recreational Venues
Banking/Financial

Education



Special Classification
Development of Defined
Threat (DT) for a Community
List, collect and organize information for DT
1. Use historical and current intelligence data
2. Threat policy may be specified by community
leaders or others
3. Consider developing a range of potential
threats
4. Use a combination of above
Collect Threat Information

National and international sources




Intelligence organizations
Literature search, crime studies, analysis
Professional organizations
Local sources


Local police agencies
Local professional organizations



Industry
Security
City, county, state agencies
Lots of Weapon Options:Bushmaster
(used in Virginia -$750)…web site
Discuss Adversaries:
Adversary Types Overlap
(collusion is possible), Insiders…
Terrorist
(fear)
Extremist
(Cause)
Criminal
(Gain)
Insiders
???
Potential Agents




Biological
Chemical
Radiological
Explosive
Want to Buy something Radioactive??…Go to the web…
• Reactor Fuel Pellets
Uranium Oxide
Reactor Fuel Pellet
( 10mm X 15mm )
16,000 cpm
Reactor Fuel Pellet:
$100.00
These are Uranium Oxide Fuel Pellets made of highly compressed
Uranium Oxide.
They are from a "Slow-Poke" Ammonia-Cycle Nuclear
Reactor and are slightly out of spec. Each is 10mm in diameter
and 15mm long.
•Uranium Ore - Super High Radiation Level
Physical Protection Systems (PPS)

Potential PPS objectives are:





PPS and their objectives will vary


Protect lives
Protect property
Prevent loss of services
Other
Consequence mitigation may be option
PPS includes detection, delay, response
Risk Equation: R=PA*(1-PE)*C
• Equation is discussed and estimated
values obtained for parameters,
given existing community PPS
• What happens with upgrades?
• Data is often poor or missing for
communities
• Now What?…
Security is a Continuum
Approach:
“Buy Cameras”
“Manuals”
“Performance Tests,
Analysis, Computer Models
Typical Application:
homes
homes
new construction
nuclear facilities
low risk
low - moderate
moderate – high
high consequence
risk facilities
profile
government
How Much Is Enough?
*Consequences
*Military Action
What to protect
against?
What’s important?
Mission
*Liabilities
*Crime
How well are
you protected?
*Terrorism
*Is risk acceptable
*Operational trade-off
Decisions
*Cost options
Goal in Performing a Community VA:
Identify Where Vulnerabilities Are, And
Then Decide How to Allocate Resources…
High
Resources = $$$$
$ to Fix
Likelihood
Of
Occurrence
$$ to Fix
$$$$ to Fix
Low
Terrorist
Acts
Violence by
criminals
THREAT
Theft or
vandalism
Community Vulnerability Assessment Methodology
• Focus is on physical protection.
• Considers physical protection systems (PPSs)
•Need to understand how to evaluate PPSs
•But, probably not likely to implement effective
PPSs at community facilities due to cost.
•More likely to use adverse consequence
reduction and mitigation measures (e.g.
insurance, redundant capabilities, improved
response)
•or acceptance of risk.
CVAM
TM







Application To Date
Miami-Dade, Florida
Sterling Heights, Michigan
Bismarck, ND
Hennepin County, MN
Norfolk, VA
Rochester, NY
Albuquerque, NM (Trainer Class)
We learned something new every time
and incorporated improvements
What Have We Learned?





Communities are surprised at identified
vulnerabilities
Communities learn who in their own
community is a resource
May choose to get redundancy (back-up 911
center or incident command center, or
communications equipment, good blueprints)
Need to test procedures and response in
many situations (off-hours, various scenarios)
Lots of requests for help from communities!
Caution for Communities!!!!






Illegal intelligence gathering
Operations Security
Protect information...may have a
”blueprint for attack”
Need to know
Control release of information
Document
What are our plans?



Future community VA training…
VA training program for law
enforcement academies
More Trainer classes
Summary
Community Vulnerability Assessments come
from applying nuclear security approaches
 The CVAM process is a systematic way to
assess vulnerabilities and make decisions
based on risk
 We have a community tested process
 Call me for more information and help
Gloria Chavez
Phone:505-845-8737
Email: gechave@sandia.gov

What is the appropriate response
to a situation? Depends…
Related documents
An extended misuse case notation
An extended misuse case notation
Digital vulnerabilitz atlas of South Asia [PPT, 2.05
Digital vulnerabilitz atlas of South Asia [PPT, 2.05
Chapter 11: Policies and Procedures
Chapter 11: Policies and Procedures
Abstract
Abstract
Executive Level Security Caliber Security Partners is a different kind
Executive Level Security Caliber Security Partners is a different kind
Vendor security questions
Vendor security questions
The foremost goal of the information security function should be to
The foremost goal of the information security function should be to
Tutorial 4SD3043TutorsAnswers
Tutorial 4SD3043TutorsAnswers
Download
advertisement